topic Re: CheckPoint Quantum 1600 Cluster stronger authentication required in Spark Firewall (SMB)

CheckPoint Quantum 1600 Cluster stronger authentication required

LM-Rafael — Wed, 08 Jan 2025 21:53:23 GMT

Hi,

i have a quantum 1600 device which i need to authenticate against the new Windows Server 2025 AD Server. But i can only enter an IP Address and so is not possible to successfully connect my appliance with the LDAPS Windows Server. I get the error "Stronger authentication required". But i can enter only IP address, no Hostname or FQDN, and this is the reason the authentication fails against the AD Server.

What can i do to solve this issue?

Thanks for Help

Rafael

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

PhoneBoy — Thu, 09 Jan 2025 03:37:11 GMT

By what evidence do you conclude "I can enter only IP address, no Hostname or FQDN, and this is the reason the authentication fails against the AD Server"?

According to a TAC case with a similar error, we only supports LDAP simple binds and you need to disable LDAP server signing.
See: https://learn.microsoft.com/en-US/troubleshoot/windows-server/identity/enable-ldap-signing-in-windows-server

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

LM-Rafael — Thu, 23 Jan 2025 22:12:49 GMT

Hi PhoneBoy,

On the Windows Server 2022 Test AD Server, everything is running fine, and I can connect my firewall using LDAP. However, with the 2025 Datacenter AD Server, it is not possible, and I get the following error (see picture_1) when I click "Discover."

I have disabled the forced LDAPS requirement, but this did not resolve the issue. The output from LDP.exe confirms that access on port 389 without SSL is possible.

Where am I making a mistake?

Thanks and best regards,
Rafael

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

PhoneBoy — Fri, 24 Jan 2025 00:40:02 GMT

Have you disabled LDAP Server Signing as mentioned in the article I liked?

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

LM-Rafael — Sun, 26 Jan 2025 12:45:55 GMT

Hi PhoneBoy,

no i have only problems when i disable ldap server signing.

With Server 2022 everything running fine (a separate dev environment).

Have you an other article for disable server signing?

Thanks

Rafael

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

LM-Rafael — Sun, 26 Jan 2025 22:23:59 GMT

Hi PhoneBoy,

i have try to enable simple bind but i think it is not possible on Windows Server 2025. I have try 3 different How To’s unsuccessfully. ldp.exe write me -> This server needs stronger Authentication.

What can i do now?

Thanks

Rafael

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

Chris_Atkinson — Mon, 27 Jan 2025 01:31:24 GMT

If you're already using R81.10.15 and this isn't working please report the issue to TAC for investigation.

Pending their feedback & consultation with R&D it may require an RFE

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

G_W_Albrecht — Tue, 06 May 2025 11:21:08 GMT

Maybe this can be resolved by disabling LDAP Server Signing, but our customer does not want to do that ! So we have opened a SR# for him...

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

G_W_Albrecht — Tue, 06 May 2025 11:28:36 GMT

TAC responded:

As a first step, it's recommended to perform a firmware version upgrade on the device to a newer version, R81.10.17 you can download the firmware image from the following download link:
R81.10.17 Download link for 1530.

Please let me know if the issue persist after the firmware upgrade.

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

G_W_Albrecht — Wed, 14 May 2025 09:42:32 GMT

Of course, upgrade did not resolve the issue and the SR# has no solution yet - and the customer is not willing to disable ldap server signing as this would mean to lower security on one end to get more security on the other. Also it looks like this procedure does not resolve the issue in all cases, if i sum up the discussion above. @Amir_Ayalon , any comments ?

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

G_W_Albrecht — Tue, 10 Jun 2025 08:57:43 GMT

TAC currently is preparing the documentation on the limitation for the Windows 2025 server. First statement was that there is a limitation with Windows server 2025. As a workaround the options available are to either work with older versions, or disable the LDAP signing.

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

G_W_Albrecht — Tue, 10 Jun 2025 13:12:59 GMT

Can you confirm that this is an issue relevant for GAiA Embedded only ? TAC did not mention that GAiA has the same issue, so if this is only SMB, please move the post to SMB !

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

PhoneBoy — Tue, 10 Jun 2025 15:26:41 GMT

This seems like it's just SMB related.
Probably should have moved this post earlier 🙂

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

G_W_Albrecht — Mon, 16 Jun 2025 14:20:46 GMT

I have news from R&D: The issue also impacts Gaia devices as well.

We would like to inform you that Windows Server 2025 is currently not officially supported
for Active Directory integration with the gateway. When attempting to connect the gateway
to an AD server running Windows Server 2025, the integration fails during the LDAP bind
phase (simple bind).

Our teams are actively working on delivering a solution for this issue.

However, please note that we do not have an estimated timeline at this stage, so this is
currently considered a limitation.

As a temporary workaround, you may choose to disable LDAP signing, Please be aware that
this is not recommended due to the associated security risks.

Alternatively, we recommend using a supported version such as Windows Server 2022.

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

PhoneBoy — Tue, 17 Jun 2025 14:50:13 GMT

Do you have an SR I can review on this?

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

G_W_Albrecht — Wed, 18 Jun 2025 07:53:27 GMT

Not ready yet - but i will PM the SR#.

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

LM-Rafael — Thu, 19 Jun 2025 06:15:39 GMT

Hi everyone,

I was able to resolve the issue by installing the latest Gaia Embedded firmware on the 1600 appliance and configuring Entra ID integration.
Now, users can connect via VPN, and authentication is handled through Microsoft Entra with two-factor authentication.

I'm very happy with this solution.

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

G_W_Albrecht — Mon, 23 Jun 2025 13:58:41 GMT

So the issue is not resolved, it is working now as you changed from DC LDAPS to Entra ID...

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

Tom_Hinoue — Tue, 24 Jun 2025 00:41:48 GMT

I got a different answer regarding the recommended support ver.. in my SR, RnD advised to use Windows Server 2019 and below which is the supported version, not 2022. Hope we get clear answers soon.

Re: CheckPoint Quantum 1600 Cluster stronger authentication required

G_W_Albrecht — Tue, 24 Jun 2025 07:43:48 GMT

Your answer was not so very different - TAC told us to use versions older than Server 2025, on June 16th:

Our teams are actively working on delivering a solution for this issue.

However, please note that we do not have an estimated timeline at this stage, so this is currently considered a limitation.

As a temporary workaround, you may choose to disable LDAP signing, Please be aware that this is not recommended due to the associated security risks.

Alternatively, we recommend using a supported version such as Windows Server 2022.